Failed to validate Webhook event BILLING.PLAN.CREATED #798
Comments
This is my verification code:

```php
public function validateWebhook($webhookid)
{
    // Header names are normalized to upper case before lookup.
    $headers = array_change_key_case(getallheaders(), CASE_UPPER);
    // Raw request body, exactly as received.
    $body = file_get_contents('php://input');

    $sigVer = new VerifyWebhookSignature();
    $sigVer->setWebhookId($webhookid);
    $sigVer->setAuthAlgo($headers['PAYPAL-AUTH-ALGO']);
    $sigVer->setTransmissionId($headers['PAYPAL-TRANSMISSION-ID']);
    $sigVer->setCertUrl($headers['PAYPAL-CERT-URL']);
    $sigVer->setTransmissionSig($headers['PAYPAL-TRANSMISSION-SIG']);
    $sigVer->setTransmissionTime($headers['PAYPAL-TRANSMISSION-TIME']);

    // The body is parsed into a model here and serialized again on post.
    $webhookEvent = new WebhookEvent();
    $webhookEvent->fromJson($body);
    $sigVer->setWebhookEvent($webhookEvent);
    $request = clone $sigVer;

    try {
        /** @var \PayPal\Api\VerifyWebhookSignatureResponse $output */
        $this->log->debug('Posting VerifyWebhookSignature');
        $this->log->debug($request->toJSON());
        $output = $sigVer->post($this->apiContext);
        $this->log->debug('Output from VerifyWebhookSignature', [$output]);
    } catch (Exception $ex) {
        $this->log->error($ex->getMessage());
        // getData() exists only on the SDK's connection exception.
        if ($ex instanceof \PayPal\Exception\PayPalConnectionException) {
            $this->log->error('Exception Data: ' . $ex->getData());
        }
        throw $ex;
    }

    return $output->getVerificationStatus() === 'SUCCESS';
}
```

and this is the log:
+1 - I can verify that I am seeing this same behaviour as well, caused by the same diff in links, and I'm on PHP 5.3 (don't laugh, just pity me)
I have escalated this for further review. The validation won't work if the request body doesn't match. Thanks for the helpful difference showing the links being changed from empty array to empty object.
Clearly there's a bug with the (un)serialization, but for this case only we could avoid the error just by avoiding deserializing and serializing the body. Of course, if the error is the deserialization, there could be other undetected issues related to this.
I have seen similar issues with parsing the JSON request body then serializing back to JSON. The validation checksum is calculated from the JSON body as a string, not by validating the values in the fields. I learned this the hard way with my webhook listener changing 100.0 to 100.
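The failure discussed in this thread, as an added example that is not part of the original thread or the SDK: a byte-level comparison of the received body against the JSON about to be posted for verification, run before the verify call. It assumes PHP 7.1 or later; `bodyDrift` is a hypothetical helper and the sample bodies are constructed.

```php
<?php
// Added example; all sample bodies below are constructed.

/**
 * Compare the raw request body with the JSON about to be posted for
 * verification. Returns null when byte-identical, otherwise the first
 * differing offset, the context around it, and a checksum of each string.
 */
function bodyDrift(string $raw, string $candidate, int $context = 12): ?array
{
    if ($raw === $candidate) {
        return null;
    }
    $max = min(strlen($raw), strlen($candidate));
    $offset = 0;
    while ($offset < $max && $raw[$offset] === $candidate[$offset]) {
        $offset++;
    }
    $start = max(0, $offset - $context);
    return [
        'offset'    => $offset,
        'raw'       => substr($raw, $start, 2 * $context),
        'candidate' => substr($candidate, $start, 2 * $context),
        // CRC32 is illustrative: any digest over the bytes changes too.
        'raw_crc32'       => sprintf('%08x', crc32($raw)),
        'candidate_crc32' => sprintf('%08x', crc32($candidate)),
    ];
}

// Stand-in for file_get_contents('php://input').
$raw = '{"event_type":"BILLING.PLAN.CREATED","resource":{"links":[]}}';
// Stand-in for the re-serialized event: empty array became empty object.
$posted = '{"event_type":"BILLING.PLAN.CREATED","resource":{"links":{}}}';

// A plain decode/encode round trip drifts as well: json_encode() escapes
// "/" as "\/" unless JSON_UNESCAPED_SLASHES is passed.
$rawUrl    = '{"href":"https://example.test/plans/P-0"}';
$roundTrip = json_encode(json_decode($rawUrl));

foreach ([[$raw, $posted], [$rawUrl, $roundTrip], [$raw, $raw]] as [$a, $b]) {
    $d = bodyDrift($a, $b);
    echo $d === null
        ? "identical\n"
        : "differs at byte {$d['offset']}: {$d['raw']} vs {$d['candidate']}"
            . " (crc32 {$d['raw_crc32']} vs {$d['candidate_crc32']})\n";
}
```

Logging the drift result next to the verification response makes a serialization mismatch distinguishable from a genuinely invalid signature.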
In
That's the problematic piece, IMHO. If you comment out this line, the event verifies properly. Of course, removing that might well break other things.
Hey @TrevorAtITS! This can cause issue for us in future. If any object in the APIs are introduced, it would come out as a We are overriding and making webhookVerification
General information
PayPal-Debug-ID values:
Issue description
I am unable to validate a webhook request BILLING.PLAN.CREATED. The same implementation validates another event type (PAYMENT.SALE.COMPLETED) just perfect. I've tracked the problem down to the bit that I think is causing the problem:
BILLING.PLAN.CREATED event contains a property named "plans" that contains a property named "links"; this property is an array of objects. As it comes empty, when I set the request body (as string) to the $webhookEvent->fromJson() method, it parses it as an object. I found this out because I diffed both strings and came up with this:
This code is where the error is coming
Full received body
Full posted body